Guides

Email authentication guides

Practical, no-nonsense guides to SPF, DKIM and DMARC. Fix what is broken and keep your mail out of spam.

dmarc

The DMARC pct Tag Explained: How to Ramp Enforcement Without Blocking Real Mail

The DMARC pct tag controls what fraction of your failing mail gets your policy applied, so you can enforce gradually. The catch most guides miss: unselected mail is not skipped, it drops down one policy level, so p=reject with pct=50 rejects half and quarantines the rest. This guide gives a 10/25/50/100 ramp tied to reading reports, and flags that DMARCbis deprecates pct.

Mar 11, 20267 min read
security

How to Set Up MTA-STS: Step-by-Step Guide with Policy File and DNS Records

A copy-paste walkthrough of all three MTA-STS parts: the _mta-sts TXT record, the mta-sts.txt policy file served over HTTPS at the well-known path, and the mx, mode, and max_age directives. Includes dig and curl validation steps to confirm each piece resolves before you switch from testing to enforce mode, plus how MTA-STS relates to TLS-RPT, DANE, and DMARC.

Mar 8, 20268 min read
security

MTA-STS vs DANE: Which Email Transport Security Standard Should You Use?

MTA-STS and DANE both force encrypted SMTP delivery, but they trust different things. MTA-STS uses HTTPS and the public CA system with a trust-on-first-use gap. DANE uses DNSSEC-signed TLSA records with no first-use window. Gmail and Outlook honor MTA-STS as senders but do not validate DANE when receiving, so publish MTA-STS for reach and add DANE where your DNS and receivers support it.

Mar 6, 20267 min read
deliverability

Email Warm-Up Schedule: How to Warm a New Domain or IP Without Landing in Spam

A copy-paste 4 to 6 week warm-up schedule for a new sending domain or IP, with the exact daily volumes, segment targeting, and engagement tactics that Gmail and Outlook reward. Verify SPF, DKIM and DMARC alignment first, then ramp slowly and read your progress in Postmaster Tools.

Mar 4, 20268 min read
deliverability

Email Blacklist Check: How to Tell If You're Listed and Get Delisted From Every Major DNSBL

A blacklist (DNSBL) is a live list of IPs or domains that mail servers query to decide whether to reject or spam-folder your email. This guide shows how to check if your domain or sending IP is listed, which blocklists actually affect delivery (Spamhaus, Barracuda, SpamCop, Microsoft) versus vanity lists you can ignore, and the root-cause checklist that makes delisting stick.

Mar 1, 20268 min read
spf

Why Email Forwarding Breaks SPF (and How SRS and ARC Fix It)

Email forwarding breaks SPF because the forwarding server sends from an IP that was never listed in the original domain's SPF record, so the check fails by design under RFC 7208. This guide explains envelope sender versus header From, why aliases and mailing lists fail, and how SRS repairs SPF while DKIM and ARC restore DMARC alignment.

Feb 25, 20266 min read
dkim

Multiple DKIM Selectors on One Domain: Signing for Google, SendGrid, Mailchimp and More

DKIM is designed for many keys on one domain. Each sending service publishes its own public key under a unique selector, so Google, SendGrid, Mailchimp and every other stream can sign mail independently. This guide maps the common selector conventions per provider, explains the one rule you cannot break, and shows how to verify every stream.

Feb 18, 20267 min read
dkim

DKIM Fails but SPF Passes: Why It Happens and How to Fix the Signature

When DKIM fails but SPF passes, the sending IP was authorized but the signature broke. This guide diagnoses the signature-level causes: body hash mismatch from list footers and forwarding, altered headers, missing selectors, truncated keys, and l= body-length quirks. Includes a symptom-to-cause table, a step-by-step verification loop, and how signature failures differ from DMARC alignment failures so you fix the right thing.

Feb 15, 20268 min read
deliverability

How to Read the Authentication-Results Header: Decode SPF, DKIM and DMARC

The Authentication-Results header is your receiving mail server's verdict on whether SPF, DKIM and DMARC passed. This guide annotates real headers from Gmail, Outlook and Yahoo field by field, gives a lookup table for every result value from pass to permerror, explains smtp.mailfrom, header.i and dis=, and ends with an if-X-failed-fix-Y decision tree so you can turn a confusing string into a fix.

Feb 8, 20267 min read
deliverability

Why Your Emails Go to Spam

When mail lands in spam, the first suspect is authentication, not content. Here are the SPF, DKIM and DMARC reasons and how to fix each one.

Jan 16, 20265 min read
deliverability

Google and Yahoo Sender Requirements

Since 2024, Google and Yahoo require senders to authenticate their mail. Here is what the rules actually ask for and how to comply.

Jan 14, 20265 min read
deliverability

SPF, DKIM and DMARC for Microsoft 365

Microsoft 365 sends your mail but does not authenticate your domain for you. Here are the exact SPF, DKIM and DMARC records to publish.

Jan 11, 20265 min read
PreviousPage 4 of 5Next